You know that little “Not Secure” warning you sometimes see in Chrome? Get ready to see it a lot more. In a major push to secure the last corners of the internet, Google is preparing to flip a switch that will more aggressively warn users anytime they land on a website that isn’t using an encrypted HTTPS connection.

This isn’t just a pop-up; it’s a fundamental change in how Chrome will handle web traffic, effectively making secure connections the mandatory default, not just a recommendation.

For years, Google Chrome has been the web’s biggest bouncer, politely—and then not-so-politely—shooing users away from sketchy sites. You’ve likely seen the “Your connection is not private” message. This typically shows up when a site tries to be secure (it has HTTPS) but has fumbled the setup, perhaps with an expired or misconfigured certificate.

But this new move is different. It expands the warning to target websites that don’t even try to use HTTPS at all. These are the “HTTP-only” sites, the digital equivalent of sending a postcard through the mail—readable by anyone who bothers to look.

So, what’s the big deal?

To understand why Google is making this move, it helps to know what “HTTPS” actually means.

• HTTP (Hypertext Transfer Protocol): This is the classic, old-school way your browser talks to a website. The problem? It’s a completely open conversation. If you’re at a coffee shop, in an airport, or on any public Wi-Fi, a “man-in-the-middle” attacker on the same network can easily eavesdrop on everything you do. They can see what you’re reading, steal the passwords you type, and even inject their own malicious code or fake ads into the page you’re looking at. It’s like sending a postcard—every postman along the route can read your message.
• HTTPS (Hypertext Transfer Protocol Secure): This is the modern, secure standard. That “S” means your connection to the website is encrypted. It creates a secure, private tunnel between you and the server. Even if that same attacker at the coffee shop intercepts your traffic, all they see is scrambled, unreadable garbage. It’s the digital equivalent of a sealed, tamper-proof envelope.

Google has been pushing for “HTTPS Everywhere” for over a decade, and it’s worked. According to their own data, secure HTTPS connections now make up between 95 and 99 percent of all web traffic on Chrome.

“This level of adoption is what makes it possible to consider stronger mitigations against the remaining insecure HTTP,” Google explained in its recent announcement. With the vast majority of the web already onboard, Google is ready to get tough on the stragglers.

The phased rollout: when is this happening?

Google isn’t just flipping a switch overnight, which would likely cause chaos for some older, unmaintained sites. The rollout is planned in careful phases.

1. April 2026: The change will first apply to users who have already opted into Chrome’s “Enhanced Safe Browsing” protections. This is a tech-savvy group that’s less likely to be confused by the new warnings and can provide good feedback.
2. Starting “next October” 2026: After the initial test phase, Google plans to make this the default behavior for everyone starting around October 2026.

When this is active, Chrome will first try to automatically upgrade any HTTP link you click to its HTTPS version. If the site doesn’t support it, then you’ll see the full-page warning before you’re allowed to proceed.

The one big wrinkle: your home router

There’s one major exception to this “HTTPS-everywhere” dream: private websites.

Google notes that “the largest contributor to insecure HTTP” isn’t actually public websites, but private ones. Think about the admin page for your home Wi-Fi router (that 192.168.1.1 address you type in) or an internal company portal.

It’s notoriously difficult (and often pointless) for these devices to get a valid, public HTTPS certificate. Google understands this. “HTTP navigations to private sites can still be risky, but are typically less dangerous than their public site counterparts,” the company says, acknowledging that it’s harder for an attacker to intercept your home network traffic than your coffee shop traffic.

While the new warnings will apply to these sites, Google is treading carefully to avoid a situation where you’re constantly fighting security warnings just to manage your own network.

Can you turn it off? (and should you?)

Yes, users will still have control. If this all sounds like too much, you’ll be able to dive into Chrome’s settings and disable the “Always Use Secure Connections” feature.

But unless you’re a developer or have a very specific reason, you should probably leave it on. This change is part of a long-overdue cleanup of the web. It’s moving the internet’s security baseline from “opt-in” to “default,” making encryption the standard and forcing the last insecure holdouts to finally catch up.

For the average person, this is nothing but good news. It means a safer, more private browsing experience, with your browser automatically standing guard against the web’s remaining unsecured doors.